Wind farms, and similar power generation facilities, are frequently controlled and monitored remotely. Systems providing such supervisory control and monitoring are generally referred to as SCADA (supervisory control and data acquisition) systems—these involve a central system which provides high level supervision and control, but rely on local implementation of control and monitoring processes. These are performed by local systems at the relevant site—for example, at an individual wind “park”.
Authorisation and access control may be achieved conventionally without difficulty where all control is mediated effectively through a central server. A conventional AAA (authentication, authorization and accounting) server or similar functionality may be used at the central site, and access control of whatever type is required can be used to allow access to SCADA control of individual parks. This may allow whatever mixture of permissions can be provided in conventional systems (for instance, to allow control to the customer, but to allow access to maintenance functions to a park provider and maintenance access to individual engineers).
In some situations, local access to systems will be required. This may be needed for on-site maintenance, or during the construction of the park. Given the remote location of many wind parks and their inherent challenges for network access (high winds will typically disrupt radio communication, for example), authorisation through a central server will frequently be problematic. Conventional authorisation solutions can be used, but are problematic. A conventional approach would involve allowing a remote location to authenticate on the basis of certificates provided by a trusted Certification Authority, which allows for local authentication and hence authorisation without network access provided that the local site has sufficient confidence that the certificates that it checks are still valid. This can be done by regular receipt of CRLs (Certificate Revocation Lists) from the Certification Authority so that certificates that are no longer valid can be identified.
This approach requires regular network traffic to provide satisfactory confidence that all certificates are valid, and so may be problematic if network connectivity is lost for a significant length of time (which may be particularly likely if maintenance is required). Moreover, in many jurisdictions, security requirements for power plants require there to be a centrally managed list of personnel authorized to access plant assets with an associated list of allowed operations for each identified person. Such requirements may require, as is the case in those made by the North American Electric Reliability Corporation (NERC), which is responsible for reliability standards for the North American grid, that it be possible to change and/or revoke permissions and demonstrate that this has been done within a 24 hour period. This is particularly challenging to achieve for remote assets with intermittent network access without inhibiting necessary maintenance access.
While this problem is considered here particularly in the power plant management domain, issues of local authentication and authorisation may arise in many other domains, and solutions may thus be applicable in other technical and commercial areas.